New Data Protection Regime Part 1

The following blog in two parts was written by our research student, Shaun McPhee

The General Data Protection Regulations (GDPR), which entered into force on 25 May 2016, are a radical shake-up of EU data protection law. This aggressive piece of legislation attempts to regulate the control of EU residents’ data far beyond the borders of the EU, and more strictly than ever before. The effects will be felt by diverse businesses worldwide, with those in ecommerce, healthcare (including ehealth), and big data being particularly affected.

Whilst the GDPR will not actually be enforced until 25 May 2018, it imposes onerous obligations on data controllers and processors, which should be planned for well in advance. Penalties are increasing from a maximum of £100,000 (in the UK) to the greater of €20m (£17m) or 4% of global turnover – numbers which deserve serious attention, even from those businesses with robust privacy protection in place.

Territorial Scope

Unlike previous data protection rules, the GDPR apply to all EU organisations, as well as to non-EU organisations which offer goods or services to, or monitor behaviour of, individuals within the EU. This means that many organisations not currently subject to EU data protection requirements will soon become so.

The rules cover all data controllers and processors ‘established’ in the EU, where personal data is processed ‘in the context of their activities’. The European Court of Justice has previously interpreted ‘established’ broadly, in the context of data protection, covering “any real and effective activity – even a minimal one”. Even those organisations with a tiny EU presence will be required to comply in full.

Where no EU presence exists but where personal data of those within the EU is processed in the provision of goods or services, the GDPR will apply. Simply having a website which is accessible from the EU will not give rise to compliance requirements, though actively offering goods or services to the EU market will. Factors which could be considered include the option of ordering in a language other than that of the controller’s home country or the availability of pricing in a Member State currency. The GDPR will also apply to any organisation which monitors the behaviour of individuals within the EU – such as through the use of cookies.